Adopting iOS 9 network extension points
Network extension points: Use the Packet Tunnel Provider extension point to implement the client side of a custom VPN tunneling protocol. Use the App Proxy Provider extension point to implement the client side of a custom transparent network proxy protocol. Use the Filter Data Provider and the Filter Control Provider extension points to implement dynamic, on-device network content filtering. Each of the network extension points requires special permission from Apple.
Each of the network extension points requires special permission from Apple :(
~~Now that Apple allows anyone to run the code on their own devices, we don't have to publish the app on the App Store.~~
No, it still requires some entitlements to run on the devices.
Totally, but - the API documentation is hard to piece together and there is no template in Xcode for the extension point. Gonna have to do some reverse engineering.
There's no documentation at all at the moment. The headers of NetworkExtension.framework are public, so we can figure out how to implement the proxy.
I guess we need to subclass NEAppProxyProvider to handle both NEAppProxyTCPFlow and NEAppProxyUDPFlow. And somehow activate the proxy.
Or we can subclass NEPacketTunnelProvider to create a VPN tunnel that handles NEPacketTunnelFlow.
Totally. We need to find the extension point identifier, too. Cisco and OpenVPN need to update their apps...
I guess it works just like an app that controls IPSec VPN settings. Before calling manager.connection.startVPNTunnelAndReturnError, we should register our own protocol with
[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:(void (^)(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error))completionHandler]
I'll give it a try when I have time.
I'm going to wait for the single WWDC session before diving in.
NEAppProxyProvider is actually per-app exclusive. Good news is we can use NEPacketTunnelProvider to create global VPN services.
I'm writing to Apple to see if we can get permission for the API.
Have you made any progress on packet tunnel?
Still no reply from Apple.
So does this mean only those who have grant permissions from Apple can develop global proxy apps?
I'm afraid yes.
Sad but reasonable. Good luck with SS. :pray:
The NEAppProxyProvider API only requires an MDM-deployed app. That can be "simulated" as described in the video.
https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html
There are actually templates for Xcode. You need to install them from
/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/NEProviderTargetTemplates.pkg
But I have not found out how to activate a VPN. As there's no shared instance of NETunnelProviderManager, I think we need to create a new one.
```objc
[NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler:^(NSArray<NETunnelProviderManager *> * __nullable managers, NSError * __nullable error) {
    if (managers.count <= 0) {
        // Describe the extension: its bundle id plus any provider-specific settings.
        NETunnelProviderProtocol *protocol = [[NETunnelProviderProtocol alloc] init];
        protocol.providerConfiguration = @{ @"some parameter" : @"some value" };
        protocol.providerBundleIdentifier = @"com.example.vpn.vpntunnel";
        // This is the line that logs "Application does not have the required entitlements".
        NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];
        manager.protocolConfiguration = protocol;   // iOS 9 name; setProtocol: is the iOS 8 spelling
        manager.localizedDescription = @"My VPN";
        manager.onDemandEnabled = NO;
        manager.enabled = YES;
        // A freshly allocated manager has nothing to load yet: save it first, then reload it
        // before calling startVPNTunnelAndReturnError.
        [manager saveToPreferencesWithCompletionHandler:^(NSError * __nullable saveError) {
            if (saveError) { NSLog(@"%@", saveError); return; }
            [manager loadFromPreferencesWithCompletionHandler:^(NSError * __nullable loadError) {
                NSLog(@"%@", loadError);
            }];
        }];
    }
}];
```
On the line `NETunnelProviderManager *manager = [[NETunnelProviderManager alloc] init];`, the following message appears in the Console app:
6/27/15 5:31:13.845 PM VPNOSX[1403]: Application does not have the required entitlements.
It doesn't say which entitlements, and there isn't any documentation about it. I want to try this API on Mac OS 10.11. I understand the reason why I need to ask Apple for some permission to publish an app with this API to the App Store, but I can't believe that I have to ask them for permission to run this API on my development machine. Sorry, that's a little bit off topic, but this is the only thread that I have found on the internet so far.
Yes. You need to send an email to Apple to get the entitlements. And I'm waiting for their reply.
Any luck on this yet? I am looking at NEAppProxyProvider for a project for a client. I think I do understand some things, but can't be sure till I can run it on the device.
https://developer.apple.com/library/prerelease/ios/samplecode/SimpleTunnel/Introduction/Intro.html#//apple_ref/doc/uid/TP40016140
Maybe this demo is helpful to this problem?
let newManager = NETunnelProviderManager()
You'll get a warning complaining about missing entitlements when you execute this line of code.
In README.md it says:
The NEProvider family of APIs require the following entitlement:
```xml
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider</string>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
    </array>
</dict>
</plist>
```
The SimpleTunnel.app and the provider extensions will not run if they are not code signed with this entitlement.
You can request this entitlement by sending an email to [email protected].
If you try to compile the app with this entitlement, your app will be killed by the taskgated daemon. If you'd like to move com.apple.taskgated.plist out of /System/Library/LaunchDaemons with root permission, you will get a nice response:
```sh
sudo mv com.apple.taskgated-helper.plist ~
mv: rename com.apple.taskgated-helper.plist to /Users/alex/com.apple.taskgated-helper.plist: Operation not permitted
```
which means that you are not admin now; you are nothing and you are in the sandbox:
7/9/15 12:37:27.138 PM sandboxd[113]: ([3711]) mv(3711) System Policy: deny file-write-unlink /System/Library/LaunchDaemons/com.apple.taskgated-helper.plist
We just received the entitlements.
Got the entitlements, too.

Did you apply as an individual or as a company?
I didn't dare fill in the form because it seemed like you had to apply as a company.
I applied as an open source organization. I explained a bit about this project in the Company name and address field.
Update:
Now I can get a virtual tun device running and route packets through UDP, though I find it a little hard to debug, as I can't attach to the extension.
Now I have ShadowVPN fully working on an iPad. The next step is to add UI, etc.
https://github.com/clowwindy/ShadowVPNiOS
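The provider side of what the update above describes (a virtual tun device whose packets are carried over UDP), as an added example that is not code from ShadowVPNiOS or from anyone in this thread. The class name `TunnelProvider`, the tunnel address `10.7.0.2`, the default route, the MTU and the `port` key in `providerConfiguration` are all assumptions; the server address is read from `NETunnelProviderProtocol.serverAddress`, which the container app is assumed to have set.

```objc
// TunnelProvider.m: hypothetical NEPacketTunnelProvider subclass (added example, not
// ShadowVPNiOS code). Tunnel addresses and the "port" config key are assumptions.
#import <NetworkExtension/NetworkExtension.h>
#import <sys/socket.h>
@interface TunnelProvider : NEPacketTunnelProvider
@property (nonatomic, strong) NWUDPSession *session;
@end
@implementation TunnelProvider
- (void)startTunnelWithOptions:(NSDictionary *)options
             completionHandler:(void (^)(NSError *))completionHandler {
    NETunnelProviderProtocol *proto = (NETunnelProviderProtocol *)self.protocolConfiguration;
    NSString *server = proto.serverAddress;                  // set by the container app
    NSString *port = proto.providerConfiguration[@"port"];   // assumed key
    // Virtual tun interface: tunnel IP, default route into the tunnel, MTU.
    NEPacketTunnelNetworkSettings *settings =
        [[NEPacketTunnelNetworkSettings alloc] initWithTunnelRemoteAddress:server];
    NEIPv4Settings *ipv4 = [[NEIPv4Settings alloc] initWithAddresses:@[@"10.7.0.2"]
                                                         subnetMasks:@[@"255.255.255.0"]];
    ipv4.includedRoutes = @[[NEIPv4Route defaultRoute]];
    settings.IPv4Settings = ipv4;
    settings.MTU = @1400;                                    // leave room for UDP encapsulation
    __weak typeof(self) weakSelf = self;
    [self setTunnelNetworkSettings:settings completionHandler:^(NSError *error) {
        if (error) { completionHandler(error); return; }
        NWHostEndpoint *endpoint = [NWHostEndpoint endpointWithHostname:server port:port];
        weakSelf.session = [weakSelf createUDPSessionToEndpoint:endpoint fromEndpoint:nil];
        // Server datagrams carry IP packets; a real tunnel protocol authenticates and
        // decrypts them here. Plain UDP is only the carrier shown in this example.
        [weakSelf.session setReadHandler:^(NSArray<NSData *> *datagrams, NSError *err) {
            if (datagrams.count == 0) return;
            NSMutableArray *protocols = [NSMutableArray arrayWithCapacity:datagrams.count];
            for (NSUInteger i = 0; i < datagrams.count; i++) [protocols addObject:@(AF_INET)];
            [weakSelf.packetFlow writePackets:datagrams withProtocols:protocols];
        } maxDatagrams:64];
        [weakSelf readPackets];   // should wait for session.state == NWUDPSessionStateReady first
        completionHandler(nil);
    }];
}
// readPacketsWithCompletionHandler: delivers one batch per call, so re-arm after each callback.
- (void)readPackets {
    __weak typeof(self) weakSelf = self;
    [self.packetFlow readPacketsWithCompletionHandler:^(NSArray<NSData *> *packets,
                                                        NSArray<NSNumber *> *protocols) {
        [weakSelf.session writeMultipleDatagrams:packets completionHandler:^(NSError *e) {}];
        [weakSelf readPackets];
    }];
}
- (void)stopTunnelWithReason:(NEProviderStopReason)reason completionHandler:(void (^)(void))done {
    [self.session cancel]; done();
}
@end
```

Since the extension process cannot be attached to with the debugger, as the update notes, `NSLog` output viewed in Console is the practical way to trace this code.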
Jul 19 12:17:56 new-iPad ShadowVPN(NetworkExtension)[1242] <Notice>: MDM must be used to create NEAppProxyProvider configurations
Looks like NEAppProxyProviderManager isn't for us. Thus, to implement Shadowsocks for iOS, we need to convert it to a VPN. Maybe we have to port tun2socks to iOS.